Preface 


Welcome to Qualys Cloud Platform! In this guide, we’ll show you how to install and use the 
Qualys Web App Scanning Connector to see your Qualys WAS scan data in Jenkins. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical security 
intelligence on demand and automating the full spectrum of auditing, compliance and 
protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed service 
providers and consulting organizations including Accenture, BT, Cognizant Technology 
Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, Optiv, 
SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding 
member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your questions 
will be answered in the fastest time possible. We support you 7 days a week, 24 hours a day. 
Access support information at www.qualys.com/support/ 
Introduction to Qualys Web App Scanning Connector for Jenkins 


The Qualys Web App Scanning Connector empowers DevOps teams to build application 
vulnerability scans into their existing CI/CD processes. By integrating scans in this manner, 
application security testing is accomplished earlier in the SDLC to catch and eliminate security 
flaws. 


Note - Qualys Web App Scanning Connector supports Jenkins version 2.204.1 or greater. 


We'll help you: Install the Plugin | Configure the Plugin 


Install the Plugin 


You can install the Qualys Web App Scanning Connector in two ways. Install the plugin from 
within Jenkins or download the plugin from Qualys and then install the plugin into your Jenkins 
instance. 


Upgrading the plugin in place from version 2.0.2 to 2.0.3 or later is not supported. To install a 
version higher than 2.0.2, uninstall the older plugin version, install the new WAS plugin, and 
then re-configure your existing jobs. 


Install the Plugin from Jenkins 


To install the Qualys Web App Scanning Connector from Jenkins, log into your instance of 
Jenkins and click Manage Jenkins. 


[Screenshot: Jenkins dashboard sidebar (New Item, People, Build History, Project Relationship, 
Check File Fingerprint, Manage Jenkins, My Views, Credentials, New View)] 


Next, click Manage Plugins. 


Qualys Web App Scanning Connector for Jenkins 4 


[Screenshot: Manage Jenkins page listing Global Tool Configuration, Reload Configuration from 
Disk, Manage Plugins ("Add, remove, disable or enable plugins that can extend the functionality 
of Jenkins") and System Information] 
If you are installing the Qualys Web App Scanning Connector for the first time, click the 
Available tab and search for the plugin using the Filter bar. Select the plugin and click either 
Install without restart or Download now and Install after restart. 


After the Qualys Web App Scanning Connector is installed, it will be listed in the Installed tab. 


[Screenshot: Plugin Manager, Available tab filtered on "Qualys Web", listing Qualys Web App 
Scanning Connector ("Provides a post-deploy step to run a vulnerability scan using the Qualys 
Web Application Scanning (WAS) service") with the Install without restart and Download now and 
install after restart buttons] 


If the plugin is already installed in Jenkins and you want to update the plugin, go to the Updates 
tab, search for the Qualys Web App Scanning Connector and click “Download now and Install 
after restart”. 


Note that the plugin is also listed in the plugin store at https://plugins.jenkins.io/. 


Download and Install the plugin 


Optionally, you can download the plugin from Qualys. The plugin comes in the form of an .hpi 
file. You can find it at https://community.qualys.com/docs/DOC-6384. 


Once you have the .hpi file, log into your instance of Jenkins and click Manage Jenkins > Manage 
Plugins. Go to the "Advanced" tab. 


Browse to select the .hpi file you downloaded and click the Upload button. Uploading 
auto-upgrades your current version of the plugin to the version in the uploaded file. 
[Screenshot: Upload Plugin form ("You can upload a .hpi file to install a plugin from outside the 
central plugin repository") with the Choose File and Upload controls] 


Confirm that the Success message appears. You must restart Jenkins to complete the plugin 
installation. 


[Screenshot: Installing Plugins/Upgrades page showing "qualys-was plugin is already installed. 
Jenkins needs to be restarted for the update to take effect", with the links "Go back to the top 
page (you can start using the installed plugins right away)" and "Restart Jenkins when 
installation is complete and no jobs are running"] 


That’s it! The installation is now complete. Read on to learn about configuring the plugin. 


Configure the Plugin for Pipeline projects 


Open your application’s pipeline project and click "Pipeline Syntax" to enter the Snippet 
Generator. 


[Screenshot: pipeline project sidebar (Back to Dashboard, Status, Changes, Build Now, Delete 
Pipeline, Configure, Full Stage View, Rename, Pipeline Syntax)] 


Select "qualysWASScan: Scan web applications with Qualys WAS" from the drop-down menu. 


[Screenshot: Snippet Generator with Sample Step set to "qualysWASScan: Scan web application with 
Qualys WAS"] 


Now you are ready to configure the plugin. The first step is to confirm that Jenkins can 
communicate to the Qualys Cloud Platform via the WAS API. You’ll need valid account 
credentials for an active Qualys WAS subscription. The account must have API access enabled 
as well as a role assigned with all necessary permissions. Qualys recommends using a service 
account restricted to API access only (no UI access) and having the least privileges possible. 


Select the Qualys platform/portal where your Qualys account resides and your account 
credentials for authenticating to the WAS API server. Use the Add button to add account 
credentials in the Jenkins store for the new user. Once added, the credential is listed in the 
“Credentials” drop-down. 


Note that what you select here depends on the Qualys platform your organization is using. Learn 
more. 


If your Jenkins instance does not have direct Internet access and a proxy is required, click the 
"Use Proxy Settings” checkbox and enter the required information. 


[Screenshot: API Login section ("Provide details for accessing the Qualys WAS API") with Your 
Qualys Portal set to US Platform, the Credentials drop-down, the Use Proxy Settings check box 
and the Test Connection button] 


Click the "Test Connection" button. If you selected the correct platform for your subscription 
and the credentials are valid, you will see the message "Connection test successful". 


Note that if your Qualys account resides on a private cloud platform, select “Private Cloud 
Platform” as your Qualys cloud platform, specify the API server URL and your account 
credentials to access the API. 


[Screenshot: API Login section with Your Qualys Portal set to Private Cloud Platform, an API 
Server URL field, the Credentials drop-down with Add button, Use Proxy Settings and Test 
Connection] 


Next, select the web application in Qualys WAS that you wish to scan. 


[Screenshot: Launch Scan API Parameters ("Provide information required to launch the scan") with 
Select Web Application from WAS, Scan Name ([job_name]_jenkins_build_[build_number]) and Scan 
Type (VULNERABILITY)] 


By default, the WAS scan name will be: 
[job_name]_jenkins_build_[build_number] + timestamp 


You can edit the scan name, but a timestamp will automatically be appended regardless. 
You can choose to run a Discovery scan or Vulnerability scan. The default is Vulnerability scan. 


Next, configure optional scan parameters. 


[Screenshot: Optional Parameters ("Provide Optional API parameters required to call 
LaunchScanAPI") with Authentication Record (Use Default), Option Profile (Use Default) and 
Cancel Options (None)] 


Authentication Record - You can choose to run the scan without authentication (the default) but 
keep in mind the scanner will not be able to log into the web application and test the 
authenticated surface area of the application in that case. You may instead want to select "Use 
Default", in which case the default authentication record for the web app in WAS (if any) will be 
used. Optionally, you can also select the Other option and choose a specific authentication 
record ID if desired. 


Option Profile - The option profile contains the various scan settings such as the vulnerability 
types that should be tested (detection scope), scan intensity, error thresholds, etc. Selecting "Use 
Default" will use the default option profile for the web app in WAS. This is the recommended 
setting; however, you can also select the Other option and choose a specific option profile ID if 
desired. 


Cancel Options - The default is not to cancel the scan, in which case the scan runs to 
completion. However, you can choose to cancel the scan after a set number of hours. Keep in 
mind you may not get any results if the scan is canceled before it finishes. 

Next, configure the scan pass/fail criteria that fail the build job, the scan status polling 
frequency and the timeout duration for the scan. 


[Screenshot: Configure Scan Pass/Fail Criteria ("Set the conditions to fail the build job. The 
build will fail when ANY of conditions are met"). Failure Conditions: By Vulnerability Severity 
(Fail with more than N severity 1 through severity 5; NOTE: Severity 1 rating is least severe 
and severity 5 is most severe), By Qualys WAS Vulnerability Identifiers (QIDs), and Fail the 
build if WAS could not scan the web application. Timeout Settings ("Qualys WAS Scan results 
will be collected per these settings. For each enter a value in minutes or an expression like 
2*60 for 2 hours"): Frequency, how often to check for data (5 minutes); Timeout, how long to 
wait for scan results (60*24 minutes)] 


You can set conditions to fail a build by 1) Vulnerability Severity, 2) Qualys WAS Vulnerability 
Identifiers (QIDs). You may also choose to fail the build when the plugin initiates the scan but 
the WAS module could not complete it, for example because no scanner was found. If any of 
these conditions is satisfied, the build fails. 


To fail the build by vulnerability severity, specify a vulnerability count for one or more 
severity types. The build fails if, in the scan results, the number of detections for any of 
those severity types exceeds the number you specified. For example, to fail a build when more 
than 2 severity 5 vulnerabilities are found, select the “Fail with more than severity 5” option 
and specify 2. 


Note that a Qualys severity “5” rating is the most dangerous vulnerability while severity “1” is the 
least. 


Similarly, to fail a build by QIDs, select the “Fail with any of these QIDs” check box and enter 
one or more QIDs in the field next to it. 
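To make the three failure conditions concrete, the following Python illustration is added here; it is not the plugin's own code and its class and function names (Criteria, Verdict, evaluate) are ours. It applies the severity limits, the QID list and the "could not scan" condition described above to a constructed scan result whose QIDs, titles, severities and URLs are taken from the Vulnerabilities table shown later in this guide. It also marks which detections are the "Breaking Vulnerabilities" that the Scan Status page highlights. Note the "more than" semantics: a count equal to the limit passes, and a limit of 0 means the first detection of that severity fails the build.

```python
"""Pass/fail evaluation in the style of the Qualys WAS Jenkins plugin.

Added illustration for this guide, not the plugin's own code. It applies the
three failure conditions the guide describes to a constructed scan result:
  1) per-severity detection counts that EXCEED a configured limit,
  2) any detection whose QID is on the configured list,
  3) the scan not reaching the FINISHED state.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# One detection as (qid, title, severity, url).
Detection = Tuple[int, str, int, str]

# Constructed sample result. QIDs, titles, severities and URLs are copied from the
# Vulnerabilities table shown in this guide; the list itself is constructed and
# is not real scan output.
SAMPLE_DETECTIONS: List[Detection] = [
    (150004, "Path-Based Vulnerability", 2, "http://zero.webappsecurity.com/README.txt"),
    (150004, "Path-Based Vulnerability", 2, "http://zero.webappsecurity.com/docs/"),
    (150023, "Directory Listing", 2, "http://zero.webappsecurity.com/errors/"),
    (150053, "Login Form Is Not Submitted Via HTTPS", 4, "http://zero.webappsecurity.com/signin.html"),
    (150081, "X-Frame-Options header is not set", 1, "http://zero.webappsecurity.com/index.html"),
    (150081, "X-Frame-Options header is not set", 1, "http://zero.webappsecurity.com/"),
]


@dataclass
class Criteria:
    """Mirrors the Configure Scan Pass/Fail Criteria form (field names are ours)."""
    # severity -> highest tolerated count. "Fail with more than 0 severity 5"
    # is {5: 0}: the first severity 5 detection already fails the build.
    severity_limits: Dict[int, int] = field(default_factory=dict)
    # "Fail with any of these QIDs"
    fail_qids: Set[int] = field(default_factory=set)
    # "Fail the build if WAS could not scan the web application"
    fail_if_scan_not_completed: bool = True


@dataclass
class Verdict:
    passed: bool
    violations: List[str]       # one human-readable line per violated condition
    breaking: List[Detection]   # the "Breaking Vulnerabilities" shown in Jenkins


def evaluate(criteria: Criteria, scan_status: str, detections: List[Detection]) -> Verdict:
    """Return the build verdict; ANY violated condition fails the build."""
    violations: List[str] = []

    # Condition 3: the scan was launched but WAS did not complete it.
    if criteria.fail_if_scan_not_completed and scan_status != "FINISHED":
        violations.append(f"scan ended with status {scan_status}")

    # Condition 1: compare the count per severity with its limit. Equality passes;
    # only a count strictly greater than the limit is a violation.
    counts = Counter(d[2] for d in detections)
    exceeded: Set[int] = set()
    for severity, limit in sorted(criteria.severity_limits.items()):
        if counts[severity] > limit:
            exceeded.add(severity)
            violations.append(f"severity {severity}: {counts[severity]} found, limit {limit}")

    # Condition 2: any configured QID present in the results.
    hit_qids = sorted({d[0] for d in detections} & criteria.fail_qids)
    if hit_qids:
        violations.append(f"QIDs present: {hit_qids}")

    # A detection is "breaking" when it contributed to a violated condition.
    breaking = [d for d in detections if d[2] in exceeded or d[0] in criteria.fail_qids]
    return Verdict(passed=not violations, violations=violations, breaking=breaking)


if __name__ == "__main__":
    # The limits from the guide's screenshot: more than 5 severity 1, more than 0 of any other.
    form = Criteria(severity_limits={1: 5, 2: 0, 3: 0, 4: 0, 5: 0})
    verdict = evaluate(form, "FINISHED", SAMPLE_DETECTIONS)
    print("PASS" if verdict.passed else "FAIL")
    for line in verdict.violations:
        print(" -", line)
    for qid, title, severity, url in verdict.breaking:
        print(f" X {qid} {title} (severity {severity}) {url}")
```

With the screenshot's limits the constructed result fails on severity 2 (three detections, limit 0) and severity 4 (one detection, limit 0), while the two severity 1 detections stay under their limit of 5 and are therefore not listed as breaking.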


In the Timeout settings, specify the polling frequency in minutes for collecting the WAS scan 
status data and the timeout duration for a running scan. 
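The Timeout Settings accept either a plain number of minutes or an expression such as 2*60. The following added Python illustration (not the plugin's parser; the function names, the grammar it accepts and the MAX_MINUTES bound are ours) shows one way to accept that input without passing a user-controlled string to eval(), and how the two settings translate into a number of status checks.

```python
"""Parse Timeout Settings values ("a value in minutes or an expression like 2*60").

Added illustration, not the plugin's parser: it accepts only that grammar, so
the configured string never reaches eval() or any other interpreter.
"""
import re

# Grammar: one or more positive integers joined by '*', optional surrounding spaces.
_MINUTES_EXPR = re.compile(r"^\s*\d+(?:\s*\*\s*\d+)*\s*$")

# Upper bound chosen for this illustration (one week); not a plugin setting.
MAX_MINUTES = 7 * 24 * 60


def parse_minutes(expr: str, max_minutes: int = MAX_MINUTES) -> int:
    """Return the minutes denoted by expr; raise ValueError for anything else.

    Only digits and '*' pass the regex, so inputs like "60+24" or
    "__import__('os')" are rejected before any arithmetic happens.
    """
    if not _MINUTES_EXPR.match(expr):
        raise ValueError(f"not a minutes expression: {expr!r}")
    minutes = 1
    for factor in expr.split("*"):
        minutes *= int(factor)  # int() tolerates the surrounding spaces
    if minutes <= 0 or minutes > max_minutes:
        raise ValueError(f"{minutes} minutes is outside 1..{max_minutes}")
    return minutes


def status_checks(frequency_expr: str, timeout_expr: str) -> int:
    """How many times WAS would be polled before the timeout expires.

    With the guide's values (frequency 5, timeout 60*24) that is 288 checks.
    """
    frequency = parse_minutes(frequency_expr)
    timeout = parse_minutes(timeout_expr)
    return -(-timeout // frequency)  # ceiling division without floats


if __name__ == "__main__":
    print(parse_minutes("2*60"), "minutes")
    print(status_checks("5", "60*24"), "status checks")
```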
Next, click "Generate Pipeline Script". This is your pipeline snippet for launching a WAS scan. 


Generate Pipeline Script 


qualysWASScan authRecord: 'useDefault', cancelOptions: 'none', credsId: '4a84332f-d6f8-472b-96b9-61b0d81e039f', 
    optionProfile: 'useDefault', platform: 'US_PLATFORM_1', pollingInterval: '5', 
    proxyPassword: '2d2822980dc64922b3e19a79a12ec46f', proxyPort: 3128, proxyServer: '10.115.27.54', 
    proxyUsername: 'admin', scanName: '[job_name]_jenkins_build_[build_number]', scanType: 'VULNERABILITY', 
    useProxy: true, vulnsTimeout: '60*24', webAppId: '21325' 


The pipeline snippet is now ready to be plugged into your pipeline script. 
Configure the Plugin for Freestyle Projects 


The configuration settings are the same as for a Pipeline project; see "Configure the Plugin for 
Pipeline projects" for detailed configuration. 


Provide the following configuration details: 


1) Provide your login account credentials to access the Qualys WAS API server on the Qualys 
cloud platform. Select Use Proxy Settings to provide proxy information if your Jenkins server is 
behind a firewall. 


2) Click Test Connection to verify that the plugin can connect to the Qualys WAS API server. 


3) Provide parameters: web application name, scan name and scan type required to call the 
launch scan API. 


4) Optional parameters that you can pass to the launch scan API. 


5) Build fail conditions by vulnerabilities detected for severity types and by QIDs. Provide the 
data collection frequency and timeout duration for the running scan. Finally, click Save. 


[Screenshot: Freestyle project configuration with the API Login, Launch Scan API Parameters, 
Optional Parameters and Configure Scan Pass/Fail Criteria sections, numbered 1 to 5 to match 
the steps above] 
Qualys WAS Scan Status 


After the scan completes, the Summary tab shows two sections: Vulnerabilities and Pass/Fail 
Criteria Results Summary. The Vulnerabilities section shows graphical data for the number of 
vulnerabilities by severity type for the web application. Pass/Fail Criteria Results Summary 
lists the pass/fail criteria and whether each was violated or satisfied: a violated criterion is 
marked with an X icon, a satisfied one with a check-mark icon. 


Click the link shown in the Scan Report field to view the detailed WAS scan report on the Qualys 
portal. 


[Screenshot: Qualys WAS Scan Status page showing Scan ID, Scan Name, Scan Status FINISHED, the 
Scan Report link, Scan Reference and Target URL; the Results Summary, Results Stats and 
Vulnerabilities (5) tabs; and the Pass/Fail Criteria Results Summary row (QIDs, Severity 5 to 
Severity 1) marked with X and check-mark icons] 


Move the mouse over the X and check-mark icons to view the value that you configured for the 
criterion and the actual value obtained from the scan. 


[Screenshot: the same Qualys WAS Scan Status page with the mouse over the QIDs icon in the 
Pass/Fail Criteria Results Summary; the tooltip shows the configured QID list next to the QIDs 
actually detected] 




The Vulnerabilities tab provides the details of the vulnerabilities found: QID, vulnerability 
title, severity (1-5), the URLs where the vulnerabilities occur and the authentication status. 


At the top right, the Severity filter lets you find vulnerabilities by their severity. Select the 
Breaking Vulnerabilities check box to list only the vulnerabilities that caused the build to fail. 
Breaking Vulnerabilities are those that match the failure conditions you configured and because 
of which the build failed. 


[Screenshot: Qualys Vulnerabilities Results, Vulnerabilities tab, with the Show Only: Severity 
filter, the Breaking Vulnerabilities check box and Reset Filters. The table shown (entries 1 to 
10 of 24):] 

QID     Breaking  Title                                  Severity  URL                                                  Unauthenticated? 
150004  X         Path-Based Vulnerability               2         http://zero.webappsecurity.com/README.txt            Yes 
150004  X         Path-Based Vulnerability               2         http://zero.webappsecurity.com/docs/                 Yes 
150004  X         Path-Based Vulnerability               2         http://zero.webappsecurity.com/errors/               Yes 
150004  X         Path-Based Vulnerability               2         http://zero.webappsecurity.com/index.html.old        Yes 
150004  X         Path-Based Vulnerability               2         http://zero.webappsecurity.com/admin/                Yes 
150023  X         Directory Listing                      2         http://zero.webappsecurity.com/errors/               Yes 
150053            Login Form Is Not Submitted Via HTTPS  4         http://zero.webappsecurity.com/signin.html           Yes 
150081            X-Frame-Options header is not set      1         http://zero.webappsecurity.com/forgot-password.html  Yes 
150081            X-Frame-Options header is not set      1         http://zero.webappsecurity.com/index.html            Yes 
150081            X-Frame-Options header is not set      1         http://zero.webappsecurity.com/                      Yes 

X - Denotes the "Breaking Vulnerabilities" as per the configured fail criteria 


Troubleshooting 


You entered valid Qualys credentials, but the drop-down menu to select a Web application 
is empty or does not show the desired Web application. 


This issue occurs when the Qualys account provided does not have the role or scope needed to 
access the web application you wish to scan. Ensure that the account has been set up with the 
required roles and scope to access the desired web application. 


You entered valid Qualys credentials, but the drop-down menu for Authentication Record 
Name or Profile Name is empty or does not show the desired item. 


This issue occurs when the Qualys account provided does not have the role or scope needed to 
access the authentication record or option profile you wish to use. Ensure that the account has 
been set up with the required roles and scope to access the desired authentication record or 
option profile. 
URL to the Qualys API Server 


The Qualys API URL you should use for API requests depends on the Qualys platform where your 
account is located. 


Click here to identify your Qualys platform and get the API URL. 
What’s New 


Improvements in 2.0.7 


With this release, we will use the upgraded third-party library for rendering graphical charts that 
are used for displaying WAS scan results in the Jenkins scan report section. 


Improvements in 2.0.8 


- With this release, we have added 2 new filters: Severity and Breaking Vulnerabilities in the 
Vulnerabilities tab on the “Qualys Vulnerabilities Results” screen. The Severity filter lets you 
find vulnerabilities by their severity. Select Breaking Vulnerabilities check box to list the 
vulnerabilities because of which the build has failed. 


- We have added a new Severity column to the table in the Vulnerabilities tab on the “Qualys 
Vulnerabilities Results” screen to show the severity of each vulnerability. 